The EU’s General Data Protection Regulation (GDPR) was born while the UK was still a part of the EU, even though Brexit was already looming at that point, and became law in the UK in the form of the Data Protection Act 2018. Many companies and other organisations found implementation difficult due to the complexity of the policies, procedures and technical measures necessary for compliance, especially smaller entities, for whom all these legal requirements were more onerous. The rule changes did not only affect the larger corporations but also applied to much smaller organisations, be they a local orchestra or a village scout troop.
Certainly, many businesses stated that they found attaining compliance to be a drain on time and resources, and we saw some headline-grabbing fines for the more serious breaches. Some US companies decided compliance was too onerous and chose to stop processing EU citizens’ personal data, even if that meant no longer selling into the EU.
One of the promised dividends of Brexit was a bonfire of what was often colloquially referred to as EU “red tape”, as yet largely unrealised, although concrete steps have been taken in the area of data protection. The Data Protection and Digital Information Bill (DPDI) is intended to usher in an alternative UK privacy regime which is more business-friendly, but any UK business still operating in the EU will still have to comply with Member State law derived from GDPR, so the practical ramifications will be limited. A key question, however, is whether the resulting UK legislation will constitute sufficient dilution to jeopardise the UK’s adequacy agreement with the EU, which allows for the continuing interchange of personal data between the two without any case-by-case vetting.
For example, concern has been expressed that consumers will be more vulnerable because the Secretary of State will supersede the Information Commissioner’s Office as ultimate overseer. This could allow political considerations to take priority over protecting the public. This worries many lobbyists given recent high-profile cases of data misuse by big tech and the exponential evolution of AI, which is making transparency in processing, one of the EU’s core data protection principles, increasingly unworkable. A good illustration of this issue is the EU’s ruling last year that Meta’s reliance on the defence of legitimate interest to collect user data for behavioural advertising would no longer wash. No such ruling applies in the UK so, arguably, UK users remain vulnerable. Social media companies valuing the UK customer base, on the other hand, will see this divergence as a good thing.
Moving forward, the Secretary of State may oversee further divergence from GDPR standards in the name of fostering a business-friendly environment, matching the UK’s policy of presenting its evolving regulatory approach to Artificial Intelligence as less likely to stifle innovation than the EU’s rapidly crystallising AI Act.
We can conclude with two bits of news, one bad and one good. The bad news is that many UK businesses will now have to accommodate two separate and possibly increasingly disparate data protection regimes, one on each side of the Channel. The good news is that the changes are likely to mean that the village orchestra and the local scout troop may have less red tape to contend with.